ENTERPRISE ARCHITECTURE

EXECUTIVE SUMMARY

An OIG contractor (KPMG) performed a limited review of the Commission’s enterprise architecture. Although the work was terminated early, KPMG prepared an Enterprise Architecture (EA) Management Maturity Scorecard (as of April 15, 2004) which we shared with the Office of Information Technology. The scorecard showed the extent of the Commission’s progress and compliance with EA guidelines and best practices (as mandated by the Clinger-Cohen Act, the Office of Management and Budget, the Government Accountability Office, and the Federal Chief Information Officers’ Council).

The Commission has taken several steps towards developing and documenting an “As-Is” architecture in accordance for the most part with the Federal Enterprise Architecture (FEA). We are recommending that the Office of Information Technology (OIT) obtain business owner validation and support of the current “As-Is” EA state; establish a communication strategy to introduce EA successfully throughout the Commission; establish EA program plan provisions to ensure adequate compliance with project management processes, configuration management, quality assurance, risk management, and security policies and procedures; and complete an "As-Is" architecture with parallel mappings to the requirements of the FEA Reference Models.

SCOPE AND OBJECTIVES

In October 2003, we initiated an audit to assess the Commission’s progress in establishing an enterprise architecture (EA) as mandated by the Clinger-Cohen Act, the Office of Management and Budget (OMB), and the Federal government’s Enterprise Architecture Project Management Office (FEAPO). The objectives of the audit were to determine the:

   •   Extent to which the Commission developed and documented an “as-is” and “to-be” EA and migration strategy, and complied with Federal EA guidelines and requirements;
   •   Maturity level of the Commission’s EA management processes using the Government Accountability Office’s (GAO) and the Federal Chief Information Officer (CIO) Council’s EA guidelines; and
   •   Effectiveness of the Commission’s management controls and processes to manage its EA efforts.

To perform the audit, we contracted with KPMG, LLP. However, in April 2004, we discontinued the audit for contractual reasons that were determined to be in the Commission’s best interests.

The audit was performed in accordance with generally accepted government auditing standards.

AUDIT RESULTS

Although this audit was not completed, the work performed provides useful management information. The Office of Information Technology can integrate this information into its implementation and design of EA management processes and controls.

We provided OIT with an EA Management Maturity Scorecard (as of April 15, 2004) of the Commission’s progress and compliance with the EA guidelines and best practices (as mandated by the Clinger-Cohen Act, OMB, GAO, and the Federal CIO Council). The scorecard was based on the audit work performed by KPMG.

Below, we synopsize our understanding of the Commission’s progress to implement an enterprise architecture and establish EA management controls, processes, and best practices that comply with Federal EA requirements. Our conclusions are based on the limited work performed by KPMG discussed above. Additional audit work might have modified our conclusions.

Objective 1: Determine the extent to which the Commission developed and documented an “as-is” and “to-be” EA, migration strategy, and whether the Commission was in compliance with Federal EA guidelines and requirements.

The Commission has taken several steps towards developing and documenting an “As-Is” architecture. The “As-Is” architecture appears to be in accord for the most part with the FEA, as follows:

   •   Business Reference Model (BRM) – The Commission’s Business Reference Model identifies the lines of business, functions, sub-functions, and processes of the Commission and appears to be in accord with the BRM v2.0 descriptions.

   •   Technical Reference Model (TRM) – The Commission’s Technical Reference Model identifies the current network infrastructure systems in the TRM domain (Service Access & Delivery, Service Platform and Infrastructure, Component Framework Service Area, Service Interface and Integration).

   •   Service Reference Model (SRM) – The Commission’s SRM efforts consist of the Information Resource Catalog (IRC). While the Commission’s Service Reference Model is not compliant with the FEA’s SRM, we understand that OIT has begun to link the Information Resource Catalog to the Service Reference Model.

ENTERPRISE ARCHITECTURE (AUDIT 381)                                                    MA

   •   Data Reference Model - a Logical Data Model (LDM) is under construction; a benchmark analysis with the related FEA Data Reference Model was not conducted (the DRM has not yet been released).

   •   Performance Reference Model - planned initiatives for developing a Performance Reference Model include consideration of performance measures from the Government Performance and Results Act (GPRA); however, this initiative has not yet started.

The Commission’s current focus is on developing the "As-Is" architecture model. To accomplish this, business owners need to provide feedback to validate the model. In addition, completion of the applicable FEA reference models would also be helpful.

The Commission's plan to complete a "To-Be" and migration strategy depends upon the accuracy and completeness of the "As-Is" architecture. At the time of the audit, OIT had not yet set a date for completion of the “To-Be” architecture and migration strategy.

Objectives 2 & 3: Determine the maturity level of the Commission’s EA management processes using GAO’s and the Federal CIO Council’s EA guidelines; and effectiveness of the Commission’s management controls and processes to manage its EA efforts.

The Commission's enterprise architecture work has several achievements. Some areas require further development.

The EA effort started in January 2001 and began with only limited OIT resources and contractor assistance. The focus has been on building an “As Is” state with limited involvement from the business units. As part of gathering EA information, interviews with over 90% of mission areas have been conducted; however, the results have not been verified with the business owners.

OIT has established an EA Intranet web site for internally disseminating EA information. It has also employed the DesignBank software for its version management and has developed a web based application, Securities and Exchange Commission Enterprise Architecture Repository (SECEAR) to satisfy management, management information, and repository needs. OIT is developing and plans to complete development of the EA in accordance with the FEA.

To enhance the utility of the EA, OIT needs to take the following steps:

   •   Obtain business owner validation and support of the current “As-Is” EA state;
   •   Establish a communication strategy to introduce EA successfully throughout the Commission;
   •   Establish EA program plan provisions to ensure adequate compliance with project management processes, configuration management, quality assurance, risk management, and security policies and procedures; and
   •   Completion of the "As-Is" architecture with parallel mappings to the requirements of the FEA Reference Models.

       Recommendation A
       To improve the Commission’s Enterprise Architecture, OIT should implement the actions described immediately above.